50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac

Analysis

max time kernel
168s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
Size

495KB
MD5

43d968d30264819e9bfe80882bdb3830
SHA1

61f2e03685e04e480c5831822d08f69eb5d557a9
SHA256

50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac
SHA512

45b7914ae399ccad5e93288964066ca9d289934cf100c0da303989d955df4face7e985c306b8fb6fa931b1eb5646631846bdc7c1576476b565503e5d6ac2d12d
SSDEEP

6144:1nIgK54IQzeeeL4/Q2orPIwap3vh3hA2tfUV:1IgKKM4YJgd2IfU

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
File created	C:\Windows\assembly\Desktop.ini	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
Token: 33	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
Token: SeIncBasePriorityPrivilege	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1404	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	83
PID 736 wrote to memory of 1404	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	83
PID 1404 wrote to memory of 4296	1404	csc.exe	87
PID 1404 wrote to memory of 4296	1404	csc.exe	87
PID 736 wrote to memory of 4116	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	92
PID 736 wrote to memory of 4116	736	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	92
PID 4116 wrote to memory of 1860	4116	csc.exe	95
PID 4116 wrote to memory of 1860	4116	csc.exe	95

C:\Users\Admin\AppData\Local\Temp\50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
"C:\Users\Admin\AppData\Local\Temp\50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxjlls5a.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC00.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCABD0.tmp"
    3⤵
    PID:4296
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jw7dml1r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6676.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6675.tmp"
    3⤵
    PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6676.tmp

Filesize
1KB

MD5
631585de6269ac7c7a3cd32490a1d0be

SHA1
41f917fdabb23acdbc638c0bd9c97aebebb327d7

SHA256
ee835850baa1f64b9eedaefe31ad739c3c66721c5915820fae4e4b627292137a

SHA512
1e3609944825d3dabf268392fa229a1833e8542afbec06b1d079d268f8c8857e0e536f3ab854827d22e3e0b55f4a7ec4cb22b91f2e19ac8c0435e6a29d0f386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC00.tmp

Filesize
1KB

MD5
7a8c59f2ea674b059741543ec1acf0b1

SHA1
eef6a343e98f51a618a4d535f7e2d6e4f09647e4

SHA256
da785934111f0c16c07f41a1152b9ec799f0e22f453b2e04be84af009496cb39

SHA512
753d8b2bb6a5907bc95c4acc8bf346d39d844c3caf820ee7a236d0ffa354b1c32f28761dd2bd93a34c29166312c53b212320869bf635e571baad4a908af212b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jw7dml1r.dll

Filesize
9KB

MD5
c028d500a32fb625541d1bb63723807d

SHA1
53eca7cc3316fb1940dc992ffa76e9d60469be23

SHA256
86250bbc443812599ad9434a2b49b50885452e1965f1d51af178a4313617d8de

SHA512
f03c9729fa78a16ffeb511b63c4c3f1b25763714404deb797e239cef137ef9d03ed712f22f1bd3ba99a06d1157c8c826c08f5f5c744727fad31913351a761e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxjlls5a.dll

Filesize
8KB

MD5
7d3666197f10e0170035b128e349cea4

SHA1
8d468c4e9f86b0513fe6b7fd3db50144f37791c4

SHA256
1f9dbf63bdb20b71300937409a7fbbe2b2ca63c771317305f0540e4061088160

SHA512
47606a6cf7a10e79bc70cfb2efe7762f170645a9b6b95f0c37bf93e56ea0e7e88c2dea98b1cadb345cd64b44e9926cadaf380cf2d1ee53cc75d016d4ca6507a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6675.tmp

Filesize
652B

MD5
ce5470dbeee68f670c8f610c82a95b05

SHA1
f73850476bd21058677444639a628985ba737599

SHA256
a190aaea6916aa2c8a3d526495692061b3d991ecb197269185e76fc41b57ebed

SHA512
7d0adf1f6c1cb0ccfd9d6296bd154ae9527793572cea756de2a847ed110317282170f54b543cd5e28630ba263b17f62490ab5499e2e83c8a38240d4b1f2bb2b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCABD0.tmp

Filesize
652B

MD5
2f5c1e3a369ec1e8b0b2107251676c2b

SHA1
0e5e2e7116b7ee1fbe786bbbfe78c2498ffea3f7

SHA256
29927acd38cd5c6dca29a4c6d393a5057dd5232777d12f0b5a6240822310ddcf

SHA512
ccb9c97d9cfc454665b38bf943f27a5616013c4b891d9d770ee49e342aae0e98cad073c5ee4e9b4fe2f271c0a1608d31353ff97c928d6a43f302e79c5ffd65b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jw7dml1r.0.cs

Filesize
11KB

MD5
c0fba29ec46878d261eb0dd505b8c60e

SHA1
8748352169d19bc5be2c949faa1d44badc3bde0b

SHA256
fdb1a1f67d6bee13bf41ab4afb30fd193c7a1f5d8da093bf545b065f632b6136

SHA512
1d658cd2cec215458d31eced225eb38665eb7cba1f95659339711ac9cda5fddbc38006d324c9c64a53bfd08aa77f54f2341ade6907534949ec87d91507bc7990

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jw7dml1r.cmdline

Filesize
639B

MD5
0b5c0d0f66bba39b92a618e9083991a7

SHA1
a813097bb09b97c52ecdac461ab0b0cdd56be6ad

SHA256
072ffbfc1bfddd7f84a6d63c92ec4a9913178e6ce17418bf50a15132aa2df90d

SHA512
1b3eff5075b6e6c2c27de0bb00c44fe40f15bef0ac89d83207ac2579eb03923a1785933cc0dc014958a33fab0ee5c28010681cbd62f27a6150930b7ebc6d797f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxjlls5a.0.cs

Filesize
10KB

MD5
9fbaa2dcc7b87e018e2b4b2deeaa1308

SHA1
9675bf37be0b5da406f9e210ab6d8780b8fb7577

SHA256
9ea1a2b588c629db021452f736dfdbb4599a37edb41dd4e49ed1f002a8c43f14

SHA512
23eecb3c441dab7059111471d3f4829456844c5c3c689cb9dfd004f57007495cff375da01df3fc31ff5958d3fcfc63d193ea356293a21c5468bdeac765bcfaf1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxjlls5a.cmdline

Filesize
639B

MD5
f2de75a6e8cb3aefd215ff98990c123c

SHA1
e0622812c4fe3a1355b0ad3c71171a531539181e

SHA256
1058b44210841d9cccb7d9fd2ba2cd78852d1e8697b90fae4c9db5da679599ed

SHA512
5b757c04ef4ba2b0b0be1db6477a2e304c307f6f74f59f5ace94157028eb00480165089995de47a7e174e136986404fd208e32d7c06d2dd2b17c5346fff7fddc

Download Submit
memory/736-137-0x000000001C080000-0x000000001C180000-memory.dmp

Filesize
1024KB

Download
memory/736-138-0x000000001C080000-0x000000001C180000-memory.dmp

Filesize
1024KB

Download
memory/736-132-0x00007FFF6D9F0000-0x00007FFF6E426000-memory.dmp

Filesize
10.2MB

Download
memory/736-136-0x0000000000CFA000-0x0000000000CFF000-memory.dmp

Filesize
20KB

Download
memory/736-135-0x000000001C080000-0x000000001C180000-memory.dmp

Filesize
1024KB

Download
memory/736-134-0x000000001C080000-0x000000001C180000-memory.dmp

Filesize
1024KB

Download
memory/736-133-0x0000000000CFA000-0x0000000000CFF000-memory.dmp

Filesize
20KB

Download
memory/736-153-0x0000000000CFA000-0x0000000000CFF000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads